1. Field of the Invention
The present invention relates to an electronic system for authentication of individuals and/or messages, in particular for controlling access to a function, enabling a user conditionally to obtain a service or some other provision to be delivered by a specialized service unit associated with the system in question.
More particularly, the invention relates to a system for control of access to, or authentication of messages handled in, a computer or, more generally, a computerized network, use of which is reserved for persons having been duly legitimately entitled. Such networks may serve, for example, to provide all kinds of services entailing a transaction, usually with a monetary consideration, such as television shopping, pay television, home banking, interactive televised games, or also confidential faxes etc.
2. Description of the Related Art
The known systems of this kind generally include at least one electronic device or token, preferably portable (referred to as a "card" for convenience in the remainder of the present description) and at least one central electronic verification device (referred to as a "server" in the remainder of the description) which is intended conditionally to deliver authorizations for access to the function or service.
Such authorization is delivered only in the event of agreement or matching between a password produced in the card and a password produced in the server. These passwords are obtained by encrypting a variable with the aid of an encryption algorithm, which operations take place simultaneously in the card and in the server.
Usually, the encryption process employs a time parameter, often involving the use of clocks both in the cards and in the servers. In the ideal case, these clocks should be synchronized with one another; synchronization is difficult to achieve in practice, especially if, for obvious cost reasons, it is sought to install in the cards clocks which do not have very high accuracy.
A system exhibiting the general characteristics stated above is described in U.S. Pat. No. 4,800,590. In this system, each card includes a processor intended iteratively to calculate a password with the aid of an encryption algorithm. This latter periodically encrypts a parameter (referred to as the "seed") which is itself dependent on the parameter used for the previous calculation.
In such a system, the clocks of the card and of the server must in principle be synchronous so as to avoid unjustified denials of access (which are not from fraudulent or erroneous requests on the part of the user of the card).
However, whereas the clock of the server may be highly accurate, the same is not the case for the cards. Indeed, since a modest cost in respect of the cards is a paramount design constraint, it is not possible to incorporate in the cards expensive high-quality clocks which would be free of drift. A high level of synchronization between the clocks of the cards and of the server cannot therefore be envisioned in practice.
In U.S. Pat. No. 4,885,778, passwords are also periodically calculated during given successive time spans. A time dependent validity range is established in the server with a length much greater than the time span. When an access request is formulated, the server computes as many passwords as there are time spans contained in the time dependent validity range. If a password of the card matches with one of the passwords thus calculated in the server, access is granted. This system also requires a significant amount of calculating work in the server.
U.S. Pat. No. 5,361,062 discloses an authentication system which involves transferring to the server, at the moment at which an access request is input, a part of the time value available in the card on the basis of its clock. The example given in the patent is the minutes value of the clock at the moment of access. When the password is transferred, this value will be used in the server which examines whether the seconds value of its clock is less than or greater than 30 seconds. If this value is less, the server takes the chosen minutes value. In the contrary case, the minutes value in the server is increased by one unit. This process can operate correctly only if the clock of the card is either synchronous with the clock of the server with a predefined tolerance or lags behind the latter. If, on the other hand, the clock of the card leads that of the server, the latter will be unable to find the password calculated in the card during the access request in progress, since the server will not perform iterations until reaching that of the current minute of its own clock. In this case, no access request, even formulated legitimately, will be able to succeed. However, in incorporating low-quality clocks into the cards, which, as described above, is necessary for cost reasons, it is not possible to determine during manufacture in which direction the clock of a card will drift with respect to the clock of the server, particularly since the drift may be caused by wholly unpredictable phenomena such as temperature variations to which the card may be subjected.
Another drawback of the system according to U.S. Pat. No. 5,361,062 is that the elemental time unit clocking the password calculation iterations cannot be chosen to be very small, since the smaller the time unit, the greater the calculational burden both for the server and for the cards. Therefore, in practice, this time unit has been fixed at between 1 and 10 minutes. This implies that each password generated in the card remains valid throughout the duration of such a time unit. This impairs the security of the system, in particular when it includes several servers. A hacker can in fact obtain a password by intercepting it on the link between the card and the server and could then enter it into another server and obtain authorization of access, since he has the right password.
EP Patent Application No. 0 324 954 discloses an access control system which involves transmission to the server by the user of a synchronization data item which pertains to the number of access requests made previously. More precisely, if after calculating the password in the card and in the server there is non-agreement, the server displays a data item relating to the access requests which it has made in respect of this card. This data item must be entered into the card by the user in order to ensure that the same number of access requests is recorded in the card and in the server. This prior system has the drawback of involving the user in the synchronization procedure and of disclosing to any hacker the number of access requests made, although this value serves in the calculation of the password. It would therefore be preferable to keep it secret.